September 23, 2009

If you have an account with Vanguard, the investment firm, you can experience it for yourself right here (works on IE7, IE8, or FF3). If not, you can watch a quick screencast of me phishing myself. Note that this is clearly not the Vanguard site, and yet after I enter my username, I'm shown my personal image (mine's a canoe! what's yours?). I didn't answer any security questions, and yet that's my personal image that only my bank and I are supposed to know. And here it is on some scammer's site. That's the unique part of my attack, and the most dangerous.

By the way, that screen at the end is where the scammer has just obtained your password and is happily emptying your bank account (since I'm nice, I just display a hash and don't save it).

I don't mean to pick on Vanguard, I just happened to have an account with them. A similar attack should be quite possible on Bank of America, HSA Bank, or anyone else who uses the SiteKey system. SiteKey is a scheme banks came up with in response to the large and largely-intractable problem posed by phishing. It's sometimes labeled as a "multi-factor authentication" system, but I think that's incorrect - it's more of a "mutual authentication" system. The site proves that they are legitimate by showing you a picture that you selected when you sign up. Since no one else could know what picture you have set, this proves that the site is who you think it is. At least, that's the theory.

My attack is simple. The first page is just a static page that looks exactly like Vanguard's home page - standard phishing fare. When you submit the form with your username, I build a page with an iframe pointing to the Vanguard site, passing it the username. As long as you've logged in from this computer before, the Vanguard site happily shows your personal image. Then I create a form outside of the iframe with a password field and a submit button, and float those elements over the iframe. So while you're seeing the Vanguard site in the background, you're entering your password into a form I control, and the submit button you click submits to my page. And just like that, I have your password.

I have your password. I did this with a freakin' Bachelor of Arts degree. It took me about three hours of messing around to get the basics set up, and another few hours to spit and polish. It's a couple of dumb HTML pages with a few snippets of PHP, and a pinch of Javascript thrown in. There is nothing sophisticated here. I don't think this even qualifies as a "hack." I think you should be concerned. This attack has been possible as long as SiteKey has been in existence, and I see no reason why I would be the only person to think this up. In all likelihood, some smart phisher out there is already doing this.

I learned retroactively that this technique is called UI Redressing, more commonly referred to as Clickjacking. It's behind a number of attacks, of which perhaps the most publicly visible (although not the most dangerous) was the Twitter "Don't Click" infection. Even worse, since my attack requires no clicking on the actual hidden elements, even NoScript's vaunted ClearClick technology doesn't detect it (NoScript does offer an opt-in to disable iframe content, which sounds like it should stop the attack, but it didn't work for me).

SiteKey was weak to begin with. It's bad enough that a vast majority of site users don't notice if the image is missing. And a weaker man-in-the-middle attack that involved asking security questions was demonstrated 3 years ago[pdf]. But this is worse. A malicious site that shows you your own handpicked image will lull you into a false sense of security. Who would think twice about providing personal information when that mountain stream or étouffée or whatever you picked is staring you right in the face? The banks have worked hard to train users to look for that image, and that very training can be turned against them to make phishing attacks even more successful than before. SiteKey is not just useless - it's worse than nothing at all.

I have been in contact with RSA Security, the vendors of SiteKey, about this attack. To their credit, they were very professional about the whole thing. They treated the matter seriously (I was surprised to get a response at all), and did not try to bullshit or bully me. So they get points for understanding how to make the vulnerability reporting process a productive one. They told me they have notified their clients about the problem and suggested corrective action. I imagine this action will consist of frame-busting Javascript and a proprietary IE8 header. I can only speculate because as of this posting, neither Vanguard nor HSA Bank have done anything to prevent the attack, even though it has been two months since I reported it. These changes will help, but the headers are opt-in and only work on newer browsers, and the Javascript isn't necessarily immune to circumvention. Besides, recall what I said about my qualifications as a security researcher. If I came up with this in a few hours of spare time, don't try to tell me there aren't similar attacks that could be discovered by a motivated person - say, someone who makes a living managing a phishing operation.

There's another reason I think SiteKey is worse than nothing. It's not just users who get a false sense of security from it - banks are biting on these supposed panaceas instead of facing up to the very difficult problem of performing real security. It's all too easy for companies to set arcane password rules and shell out money for "solutions" like SiteKey, and convince themselves that they've tried hard enough. Wrong. SiteKey is like a Mickey Mouse band aid on the wrong knee. Maybe it gets the three year old to stop crying, but it's not actually doing any good.

Epilogue

I know, I know, I'm such a negative person. Always bringing other people down. Complaining about what exists without offering any suggestions of my own. What would I propose to guard against phishing? Huh, tough guy?

I have to be honest - I don't see a silver bullet. Phishing is a serious threat, and one that preys on our inescapably human failings - inattention, belief that our perceptions are accurate, and willingness to adapt our actions to what we are presented with. I don't see it going anywhere any time soon. However, I think the Firefox address bar is a great start:If we have to train users to look for something, it should be this. Benefits:

It's client-side. No man-in-the-middle. No UI redressing. Short of a serious Firefox exploit or SSL vulnerability, there's no faking this part of the address bar.

It comes (I assume) from the SSL certificate, which is a pretty okay security measure, and one that any respectable site dealing with sensitive information already uses.

It's friendly and distinctive - it's big and green and it tells you the name of the company.

It's right next to the address bar, which encourages one to also check the URL. This is the original best security measure, and one that eBay and others have been advocating for years. I should point out that the pretty little Locationbar² plugin is helping here as well by highlighting the domain name so it stands out against the rest of the URL.

Still, this only works if you think to look. The danger of phishing is that you get caught at the end of a long day, or when you're in a hurry, or when fucking PayPal actually has deactivated your account three times in the past and you're so annoyed by the prospect of a fourth that you get careless and don't check.

I've got another suggestion, but this one is a lot further from reality. This is what I think could be, if we would spend less time on fake security and more time on real security.

Imagine, if you will, a world where PGP is commonplace. That's right, I'm evangelizing again. Imagine every email you receive is signed, and you have an extensive trust network. When you open an account at a new bank, the rep hands you a piece of paper with instructions on downloading the bank's public key and a fingerprint to verify it. Because PGP is so common, your email client actually throws up a big red warning saying "Hey! This signature is untrusted!" whenever you get email from someone whose key you haven't imported. Suddenly you have a proactive warning on every phishing email that comes through. Nobody is going to click through a message from their bank that is labeled as "untrusted." You could teach your grandparents that.

Is this a pipe dream? For now, yeah. But it's a good one - it's a world where email phishing is essentially solved.

Until then, keep checking your address bar.

Update (12/03/09): Looks like at some point in the past few months, Vanguard updated their site with some frame-busting Javascript, and now hides the pages if Javascript is disabled (bad news for accessibility, but arguably more secure). However, let me reiterate: the fact that they have stuck their finger in this leak doesn't mean there aren't other holes in the dike.

Another update: I sent this article to Jim Youll, the author of the original paper on SiteKey vulnerabilities. He emailed me back, and in his response was a remark that stuck with me: "they always say that the undisclosed back-end systems are the fail-safe for the front-end attacks. I don't think they're lying." At some point, it hit me: what if SiteKey is nothing more than security theater? Maybe they do know that it's useless. Maybe they don't expect it to stop anything. Maybe whatever fee they're shelling out isn't coming from the security budget, but from the marketing budget. If this is the case, I just hope the marketing spiel isn't working on the people who need to be doing the real security.

6 comments:

The RSA product security team would like to extend its appreciation for hearing from you in advance of your post last week. We take all responsible communication like yours very seriously and quickly confirmed no technical issues existed within our RSA Adaptive Authentication platform, including its Site-to-User module. As you referenced, we provided all RSA Adaptive Authentication customers with information about Clickjacking, the UI Redress attack that involves multiple and oftentimes transparent frames which can make certain Internet browsers vulnerable. Mitigations can include utilizing a Frame Buster or increasing the security within browsers.

In addition to site-to-user, RSA Adaptive Authentication works behind-the-scenes with a risk engine that monitors device identification, geo-location, behavioral profiling, and feeds from a networked community sharing fraud data. An anomaly can trigger an alert to initiate an out-of-band phone call or challenge/response questions in order to verify an identity.

Organizations that conduct business online should assume that all of their users’ PCs are compromised in some manner and should prepare their security infrastructures accordingly. You are right, there is no silver bullet in security. We recommend a comprehensive and systematic approach to help reduce online threats. This includes implementing multi-layered security such as risk-based authentication, two-factor authentication, transaction monitoring, and the shutting down of online attacks. We also encourage all Internet users to stay educated and take both technical and behavioral security precautions. There are dozens of resources online that provide tips and tricks to greatly help in this effort.

In your opinion how much safer do you think that some form of true two-factor authentication (I don't consider SiteKey to be two-factor - I'm referring to some physical keyfob with changing numbers or one-time passwords, possibly sent via SMS) would make things in an online banking scenario?

Well, true multifactor authentication definitely has some security benefits. For example, a brute force password attack is out of the question (assuming, of course, that the second channel is not compromised).

But the frightening power of phishing attacks is that they largely bypass this type of security. Multifactor provides no protection against a standard man-in-the-middle. If a fake site tricks me into giving my password, it can trick me into punching in my one-time code too.

I agree that SiteKey is not two-factor, and in fact I think the confused application of that term muddles the fact that it actually addresses a different need. Mutual authentication is about proving that the site you're about to log in to is the site you think it is, and unfortunately I don't think multifactor can help with that problem.

So I'm not totally opposed to real multifactor solutions, but they're no panacea, and the keyfob thing is a serious inconvenience. I shudder to imagine five years from now - I'll no longer have a different username and password for every site, I'll have a different username, password, and keyfob. I'll have to keep a little janitor's keyring next to my desk for all my fobs.

You make a great point about two-factor authentication not being a panacea for phishing exploits. Two-factor authentication schemes based on 1-time passwords should reduce some risk though because the exploit would have to be done at the same time (in-line) as the user's login, vs. later on.

The inconvenience of physical tokens is (generally) inversely proportional to the tech savvy of the user. Bank of America (and I assume some other banks) have a two-factor scheme based on 1-time passwords/pins sent via sms.

@matthewkrieger That's true, I suppose multifactor would defeat the information-harvesting model where sensitive data is collected and then auctioned in bulk.

SMS authentication is an interesting idea, and it's nice to see a creative approach to the field. I don't know enough about cell phone security to give an opinion on how attack-resistant it is, and I haven't had any firsthand experience with such a system. It may well be the wave of the future, though. There are just too many problems with passwords alone, and the continuing absence of any commonplace public key infrastructure means institutions are going to need to bootstrap their own solutions.